SecurityFocus Microsoft Newsletter #98

From: John Boletta (jboletta@securityfocus.com)
Date: 08/05/02

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 5 Aug 2002 09:38:21 -0600 (MDT)
From: John Boletta <jboletta@securityfocus.com>
To: ms-secnews@securityfocus.com

SecurityFocus Microsoft Newsletter #98
--------------------------------------

This newsletter is sponsored by: SecurityFocus DeepSight Threat Management
System

From June 24th - August 31st, 2002, SecurityFocus announces a FREE
two-week trial of the DeepSight Threat Management System: the only early
warning system providing customizable and comprehensive early warning of
cyber attacks and bulletproof countermeasures to prevent attacks before
they hit your network.

With the DeepSight Threat Management System, you can focus on proactively
deploying prioritized and specific patches to protect your systems from
attacks, rather than reactively searching dozens of Web sites or hundreds
of emails frantically trying to gather information on the attack and how
to recover from it.

Sign up today!
http://www.securityfocus.com/corporate/products/promo/tmstrial-ms.shtml
-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Advanced Log Processing
     2. Assessing Internet Security Risk, Part Three: an Internet...
     3. Copyright, Security, and the Hollywood Hacking Bill
     4. The Right to Defend
     5. SecurityFocus DPP Program
II. MICROSOFT VULNERABILITY SUMMARY
     1. Microsoft Exchange Server IMC EHLO Response Buffer Overflow...
     2. T. Hauck Jana Server HTTP Server Request Logging Buffer...
     3. Microsoft Outlook Express XML File Attachment Script Execution...
     4. T. Hauck Jana Server POP3 Gateway Username Enumeration...
     5. Adobe eBook Reader File Transfer Authorization Voucher Weak...
     6. T. Hauck Jana Server POP3 Gateway Server Response Buffer...
     7. T. Hauck Jana Server FTP Server PASV Mode Port Exhaustion...
     8. T. Hauck Jana Server SMTP Gateway Server Response Buffer...
     9. T. Hauck Jana Server POP3 Invalid Message Index Denial Of...
     10. Microsoft SQL Server 2000 Database Consistency Checkers Buffer...
     11. Novell GroupWise Internet Agent Buffer Overflow Vulnerability
     12. StatsPlus HTTP Header HTML Injection Vulnerability
     13. Microsoft Metadirectory Services Remote LDAP Client...
     14. Microsoft SQL Server 2000 Replication Stored Procedures...
     15. Microsoft SQL Server 2000 Resolution Service Heap Overflow...
     16. Microsoft SQL Server 2000 Resolution Service Stack Overflow...
     17. PGP Passphrase Cache Expiration Vulnerability
     18. T. Hauck Jana Server SOCKS5 Proxy Server Authentication...
     19. IPSwitch IMail Web Messaging HTTP Get Buffer Overflow...
     20. OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow...
     21. Abyss Web Server HTTP GET Request Directory Contents...
     22. Multiple Browser Vendor Same Origin Policy Design Error...
     23. OpenSSL SSLv3 Session ID Buffer Overflow Vulnerability
     24. Microsoft SQL Server 2000 Resolution Service Denial of...
     25. KaZaA Media Desktop Large Message Denial Of Service Vulnerability
     26. phpBB2 Gender Mod Remote SQL Injection Vulnerability
     27. ShoutBox Form Field HTML Injection Vulnerability
     28. Microsoft Windows Media Player Filename Buffer Overflow...
     29. Microsoft Office XP/Internet Explorer OWC File Creation...
     30. Sympoll File Disclosure Vulnerability
     31. IPSwitch IMail Web Calendaring Incomplete Post Denial Of...
     32. OpenSSL ASN.1 Parsing Error Denial Of Service Vulnerability
     33. Frederic Tyndiuk Eupload Plain Text Password Storage...
     34. OpenSSL ASCII Representation Of Integers Buffer Overflow...
     35. T. Hauck Jana Server HTTP Proxy Server Request Logging Buffer...
III. MICROSOFT FOCUS LIST SUMMARY
     1. Linux firewall/ISA Server (Thread)
     2. windows update reporting info back to MS? (and .NET fw SP1)...
     3. Windows 2000 special folder restrictions (Thread)
     4. W2000 Server lockout issue (Thread)
     5. local admin passwords (Thread)
     6. Flush.exe & Flushserv.exe (Thread)
     7. FW: secure remote management of nt4 and w2k servers (Thread)
     8. Good software against spam (Thread)
     9. IIS SMTP queue reader (Thread)
     10. Update Expert (Thread)
     11. HFNETCHKpro (Thread)
     12. change the nt-password in a other domain (Thread)
     13. HFNETCHKpro? (Thread)
     14. Auditing ACL Changes (Thread)
     15. restricting MMC with GPO for SQL Enterprise Manager (Thread)
     16. Laptop Encryption (Thread)
     17. AW: hfnetchk reporting (Thread)
     18. Securing Laptops (Thread)
     19. Registry key for "QueryIpMatching" (Thread)
     20. Setting Account Lockout Policies with a NT PDC (Thread)
     21. hfnetchk reporting (Thread)
     22. Anyone know this scan/tool? (Thread)
     23. FW: Anyone know this scan/tool? (Thread)
     24. Fw: Setting Account Lockout Policies with a NT PDC (Thread)
     25. Issues/Concerns with Exchange 2000 SP3 (Thread)
IV. MICROSOFT PRODUCTS
     1. Silver Key
     2. STAT Scanner
     3. TGB::BOB!
V. MICROSOFT TOOLS
     1. Autopsy Forensic Browser v1.6
     2. BO2Klean
     3. EGADS v0.9
     4. DreamSys Server Monitor v3.1
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. Advanced Log Processing
By Anton Chuvakin

Reading logs is a crucial part of incident detection and response.
However, it is easy for security personnel to be overwhelmed by the sheer
volume of logs. This article will offer a brief overview of log analysis,
particularly: log transmission, log collection and log analysis. It will
also briefly touch upon log storing and archival.

http://online.securityfocus.com/infocus/1613

2. Assessing Internet Security Risk, Part Three: an Internet Assessment
Methodology Continued
by Charl van der Walt

This article is the third in a series that is designed to help readers to
assess the risk that their Internet-connected systems are exposed to. In
the first installment, we established the reasons for doing a technical
risk assessment. In the second part, we started to discuss the methodology
that we follow in performing this kind of assessment. In this installment,
we will continue to discuss methodology, particularly visibility and
vulnerability scanning.

http://online.securityfocus.com/infocus/1612

3. Copyright, Security, and the Hollywood Hacking Bill
By Richard Forno

Proposed copyright enforcement legislation may allow the powerful
entertainment lobby to circumvent fundamental constitutional protections,
and may create chaos on the Internet.

http://online.securityfocus.com/columnists/99

4. The Right to Defend
By Tim Mullen Jul 29, 2002

When it comes to matters of security, most policies are hastily enacted as
a reaction to some pressing force or foe. This is evident when you look at
the rash of laws, procedures and policies put in place since September 11.
I guess it is only natural-- our fragile human psyche requires immediate
comfort in the face of danger; our fears only resting when we know
something is being done, even if that "something" equates to nothing at
all.

http://online.securityfocus.com/columnists/98

5. SecurityFocus DPP Program

Attention Non-profit Organizations and Universities!!
Sign-up now for preferred pricing on the only global early-warning system
for cyber attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

II. BUGTRAQ SUMMARY
-------------------
1. Microsoft Exchange Server IMC EHLO Response Buffer Overflow Vulnerability
BugTraq ID: 5306
Remote: Yes
Date Published: Jul 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5306
Summary:

Microsoft Exchange Server includes a component called Internet Mail
Connector (IMC) that allows an Exchange server to communicate with remote
SMTP servers. A vulnerability exists in this component that may allow for
remote attackers to execute arbitrary code on Exchange servers under
specific circumstances.

The exploitable condition occurs when the affected server is generating a
response to a Extended Hello (EHLO) SMTP command received from a remote
server. An unbounded string creation routine (likely sprintf()) is used
to construct the response string in memory. As externally supplied data
is included in the construction of this string, the unbounded string
creation may be exploited to overwrite stack memory and execute arbitrary
code.

The external data included in the string is obtained through a reverse
lookup. To exploit this vulnerability, an attacker would require
authority over his address space and map a PTR hostname of excessive
length to the attacking IP address. Furthermore, a replacement return
address and possibly shellcode would also be embedded. It is possible
that the non-printable bytes that compromise malicious FQDN may be
rejected by the victim's DNS server/resolver implementation.

These specific circumstances complicate exploitability and make real-world
attacks unlikely. Theoretically, the vulnerability is exploitable and
administrators are advised to apply the patch as soon as possible.

It should be noted that versions prior to 5.5 may also be vulnerable.
This is not confirmed as earlier versions are no longer supported.

2. T. Hauck Jana Server HTTP Server Request Logging Buffer Overflow Vulnerability
BugTraq ID: 5319
Remote: Yes
Date Published: Jul 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5319
Summary:

Jana Server is a server for Microsoft Windows based systems. In addition
to performing a wide range of proxy server functions, it supports an HTTP
server.

A buffer overflow vulnerability has been reported in the HTTP server. If
an extremely long HTTP request is received, the server will crash when
attempting to log the request. This has been reported to be the result of
a buffer overflow condition.

The malicious request will take the following form:

GET / HTTP/[buffer].0

Due to the nature of this vulnerability, it may be possible for a remote
attacker to execute arbitrary code as the server process. Reportedly, Jana
Server runs with SYSTEM privileges on Windows NT systems. The ability to
execute arbitrary code has not yet been confirmed.

3. Microsoft Outlook Express XML File Attachment Script Execution Vulnerability
BugTraq ID: 5350
Remote: Yes
Date Published: Jul 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5350
Summary:

An error has been reported in Microsoft Outlook Express which may allow
malicious XML file attachments to execute arbitrary code in the context of
the local system. Code execution could occur when the file attachment is
opened, without further prompting or user interaction. By default, XML
documents may be considered 'safe', and open without a warning prompt.

XSL stylesheets can be associated with XML documents. Additionally, some
XSL information can be embedded within an XML document. As XSL may contain
script code, the usage of XSL is normally restricted with documents
executing within sensitive security zones such as the Internet Zone.

It is, however, possible to include some script code in an XML file. As
XML files are considered safe, an XML attachment may be opened from within
Outlook without further prompting. Some embedded script code may still
execute, despite the generation of an XML parsing error. When script code
included in style information executes, it is able to determine the
location of the document, and in turn the location of the Temporary
Internet File (TIF) directory the document is stored in.

Information about the location of the TIF directory can be used to
reference additional malicious attachements, including executable content,
within the context of the local file system. This can in turn lead to the
execution of arbitrary code within the Local System security zone.

This behavior has been reported in Outlook Express 6. Other versions of
Outlook may share this vulnerability, this has not however been confirmed.

4. T. Hauck Jana Server POP3 Gateway Username Enumeration Vulnerability
BugTraq ID: 5326
Remote: Yes
Date Published: Jul 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5326
Summary:

Jana Server is a server for Microsoft Windows based systems. Jana Server
provides a wide range of proxy servers, and a number of other services. A
POP3 gateway service is provided.

An error has been reported in the POP3 gateway server included with Jana
Server. It is a widely accepted security practice that authentication
error messages do not distinguish between the case where an invalid
username is submitted, and that where an invalid password is submitted.
This prevents a malicious party from determining if they have acquired or
guessed a valid system username.

Jana Server does not obey this property in authentication, which takes
place through the POP3 gateway. Exploitation of this vulnerability may aid
an attacker in gathering information about the system or internal network.

Reportedly, the POP3 gateway also allows an unlimited number of password
attempts. This may allow a brute force password attack against a verified
username.

5. Adobe eBook Reader File Transfer Authorization Voucher Weak Algorithm Vulnerability
BugTraq ID: 5358
Remote: No
Date Published: Jul 30 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5358
Summary:

Adobe eBook Reader is a client side application which is able to view
Adobe eBooks, available for Microsoft Windows and Macintosh OS 9. eBooks
are electronic books which provide some protection for content. Users may
own and view a book, but have limited rights to transfer the content.

Reportedly, an eBook may be transferred to a different computer by backing
up the book content and a number of datafiles. When the eBook is opened,
however, the user will be prompted for a new authorization voucher, and
given a challenge string. Normally, the user must contact Adobe for an
updated voucher response.

It has been reported that the encryption scheme used for this challenge /
response cycle is fundamentally flawed. Allegedly, both the challenge and
response can be computed using commonly available cryptographic
algorithms. Additionally, the secret information required to generate both
strings is stored within the eBook Reader executable file, which is
available to the local user.

Full details on the algorithms used have not been provided. It is not
unreasonable, however, to assume that a skilled attacker could derive the
details of the algorithm through experimentation.

As a result, a malicious user may freely transfer eBook content between
computers.

6. T. Hauck Jana Server POP3 Gateway Server Response Buffer Overflow Vulnerability
BugTraq ID: 5322
Remote: No
Date Published: Jul 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5322
Summary:

Jana Server is a server for Microsoft Windows based systems. Jana Server
provides a wide range of proxy servers, and a number of other services. A
POP3 gateway service is provided.

A buffer overflow vulnerability has been reported in the POP3 gateway
service. A malicious server may return an oversized reply to Jana Server.
This may result in the corruption of process memory, and the vulnerable
server crashing.

It has been reported possible to exploit this condition by returning an
oversized argument to the '+OK' response.

7. T. Hauck Jana Server FTP Server PASV Mode Port Exhaustion Denial Of Service Vulnerability
BugTraq ID: 5325
Remote: Yes
Date Published: Jul 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5325
Summary:

Jana Server is a server for Microsoft Windows based systems. Jana Server
provides a wide range of proxy servers, and a number of other services,
including a FTP server.

A design error exists in the FTP server included with Jana Server that may
allow an authenticated remote user to create a denial of service
condition. When the FTP PASV command is used, the FTP server will open a
TCP connection on a new port. Reportedly, this connection does not time
out, and will remain open indefinitely. A malicious user may make a number
of PASV requests and exhaust all TCP ports on the vulnerable system,
creating a system wide denial of service condition.

8. T. Hauck Jana Server SMTP Gateway Server Response Buffer Overflow Vulnerability
BugTraq ID: 5324
Remote: Yes
Date Published: Jul 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5324
Summary:

Jana Server is a server for Microsoft Windows based systems. Jana Server
provides a wide range of proxy servers, and a number of other services. A
SMTP gateway service is provided.

A buffer overflow vulnerability has been reported in the SMTP gateway
service. A malicious server may return an oversized reply to Jana Server.
This may result in the corruption of process memory, and the vulnerable
server crashing.

9. T. Hauck Jana Server POP3 Invalid Message Index Denial Of Service Vulnerability
BugTraq ID: 5327
Remote: Yes
Date Published: Jul 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5327
Summary:

Jana Server is a server for Microsoft Windows based systems. Jana Server
provides a wide range of proxy servers, and a number of other services. A
POP3 mail server is included.

Reportedly, Jana Server does not properly validate POP3 message index
values received from the client. A malicious user may specify a large,
invalid message index. The server will attempt to access this message and
crash due to a memory error.

POP3 commands of the following form are sufficient to exploit this issue:

RETR 1000000 or DELE 1000000

Exploitation of this vulnerability may result in a denial of service
condition for other users of the server. A restart may be required in
order to regain normal functionality.

10. Microsoft SQL Server 2000 Database Consistency Checkers Buffer Overflow Vulnerability
BugTraq ID: 5307
Remote: Yes
Date Published: Jul 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5307
Summary:

SQL Server 2000 is a commercially available enterprise level database
product from Microsoft.

There are utilities that come with SQL Server and the Microsoft Desktop
Engine called Database Consistency Checkers (DBCC). These are command
console utilities that allow various maintenance functions and other
operations to be performed on the SQL Server.

Several of the DBCCs contain identical buffer overflow vulnerabilities in
areas of the code that handle user input. Successfully exploiting the
vulnerability can lead to arbitrary code execution with the privilege
level of the SQL Server service account.

Most DBCCs can only be executed by database administrator users, however,
users who have been assigned either the db_owners db_ddladmin fixed server
roles can also execute one or more of these DBCCs.

11. Novell GroupWise Internet Agent Buffer Overflow Vulnerability
BugTraq ID: 5313
Remote: Yes
Date Published: Jul 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5313
Summary:

Novell GroupWise is an email, calendaring and collaborative application
available from Novell. It is designed for use on Novell Netware platforms,
and includes a web access component for use through a web browser. The
GroupWise client application runs on Microsoft Windows platforms.

A buffer overflow vulnerability has been reported in Novell GroupWise
6.0.1 with Support Pack 1. Reportedly, this vulnerability occurs in the
Internet Agent, which is a MTA (Mail Transfer Agent) for Novell GroupWise.

It is possible for an attacker to cause a buffer overflow condition in the
Internet Agent by supplying an overly long string and using it as an
argument for the 'RCPT TO' field when composing emails. This will cause
the Internet Agent to crash.

An attacker needs to supply a string consisting of approximately 682
characters to cause Internet Agent to crash. This will result in the
Internet Agent failing to serve any more legitimate requests thus leading
to a denial of service.

As this vulnerability is due to a buffer overflow condition, code
execution is possible. However, this has not been tested or confirmed.

12. StatsPlus HTTP Header HTML Injection Vulnerability
BugTraq ID: 5316
Remote: Yes
Date Published: Jul 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5316
Summary:

StatsPlus is software for tracking web site usage. It is available for
Microsoft Windows operating systems and Unix and Linux variants.

StatsPlus is prone to HTML injection attacks.

StatsPlus logs information about incoming requests to monitored webpages.
HTTP headers such as the HTTP_USER_AGENT and HTTP_REFERER are logged by
the software. StatsPlus does not sufficiently sanitize HTML when logging
these fields. An attacker may create false HTTP_USER_AGENT and
HTTP_REFERER headers which contain arbitrary HTML and script code and it
will be stored on the statistics page (stat.html).

An attacker may exploit this issue to cause arbitrary script code to be
executed in the browser of users who visit the statistics page, in the
security context of the website hosting the page.

13. Microsoft Metadirectory Services Remote LDAP Client Administration Vulnerability
BugTraq ID: 5308
Remote: Yes
Date Published: Jul 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5308
Summary:

A problem has been discovered in Microsoft Metadirectory Services (MMS)
that could allow a user of an LDAP client to gain administrative access.

MMS is designed to tie together authentication between several different
infrastructures, including databases, exchange directories, and active
directories.

MMS allows a remote user with an LDAP client to change data on a
vulnerable server. A flaw in authentication design allows the user of the
LDAP client to connect to the MMS repository, modify data, change the MMS
configuration, and/or replicate the bogus data in other repositories.

This could allow an attacker to gain access to accounts managed by the MMS
server, and potentially administrative access on the server or other
systems.

14. Microsoft SQL Server 2000 Replication Stored Procedures Injection Vulnerability
BugTraq ID: 5309
Remote: Yes
Date Published: Jul 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5309
Summary:

SQL Server 2000 is a commercially available enterprise level database
product from Microsoft.

It is possible to inject operating system commands into the SQL Server
database due to a vulnerability in two stored procedures used during
replication. These stored procedures do not validate input that is passed
to them, thus allowing a user to inject custom SQL and potentially
operating system commands.

One of the two stored procedures can only be accessed by users who are
database administrators or are members of the db_owner fixed database
role. The other stored procedure should require the same level of
privileges, but due to an error in the permissions, it can be accessed by
any user that can log into the server interactively.

This vulnerability can only be exploited if the SQL Server administrator
has enabled the SQL Server Agent Proxy account.

15. Microsoft SQL Server 2000 Resolution Service Heap Overflow Vulnerability
BugTraq ID: 5310
Remote: Yes
Date Published: Jul 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5310
Summary:

A vulnerability has been discovered in Microsoft SQL Server 2000 that
could make it possible for remote attackers to gain access to target
hosts.

A problem in the SQL Server Resolution Service makes it possible for a
remote user to execute arbitrary code on a vulnerable host. An attacker
could exploit a heap-based overflow in the resolution service by sending a
maliciously crafted UDP packet to port 1434.

UDP port 1434 is designated as the Microsoft SQL Monitor port. Clients
connect to this port to discover how connections to SQL Server should be
made. When SQL Server receives a packet that starts with byte 0x08
followed by an overly long string and ending with a ':' and terminated by
a number, the heap overflow is triggered. This causes key memory
structures necessary for normal operations to be corrupted.

If the packet consists of data not specifically designed to cause code
execution, a denial of service may result. It may be possible to
custom-craft the exploit code to execute arbitrary instructions in the
security context of the SQL Server. This may provide a remote attacker
with local access on the underlying host.

16. Microsoft SQL Server 2000 Resolution Service Stack Overflow Vulnerability
BugTraq ID: 5311
Remote: Yes
Date Published: Jul 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5311
Summary:

A vulnerability has been discovered in Microsoft SQL Server 2000 that
could make it possible for remote attackers to gain access to target
hosts.

A problem in the SQL Server Resolution Service makes it possible for a
remote user to execute arbitrary code on a vulnerable host. An attacker
could exploit a stack-based overflow in the resolution service by sending
a maliciously crafted UDP packet to port 1434.

UDP port 1434 is designated as the Microsoft SQL Monitor port. Clients
connect to this port to discover how connections to SQL Server should be
made. When SQL Server receives a packet that starts with byte 0x04
followed by four 'A' characters, SQL Server attempts to open the following
registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL
Server\AAAA\MSSQLServer\CurrentVersion.

If a large number of bytes are appended to the packet the buffer overflow
condition is triggered resulting in the attacker overwriting key areas in
memory and obtaining control over the SQL Server process. It may be
possible to custom-craft the exploit code to execute arbitrary
instructions in the security context of the SQL server. This may provide
a remote attacker with local access on the underlying host.

17. PGP Passphrase Cache Expiration Vulnerability
BugTraq ID: 5318
Remote: No
Date Published: Jul 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5318
Summary:

Pretty Good Privacy is the general-purpose encryption application
distributed and maintained by Network Associates. This problem affects
users of the software on the Microsoft Windows platforms.

A problem with PGP could make the recovery of passphrases possible.

It has been reported that some versions of PGP do not sufficiently expire
cached passphrases. PGP offers passphrase cache expiration as a means of
preserving a user's passphrase in the event that a different application
gains access to system memory, and is able to view the contents of a
user's session in memory.

PGP may not expire cached passphrases after the user-specified amount of
time. Additionally, cached passphrases may be stored in memory until a
user terminates their session on a system, which could potentially result
in an application recovering the passphrase from system memory. This
could result in a compromise of the integrity of information encrypted by
a user of PGP.

It should be noted that this vulnerability is present only with the most
current patches applied to PGP 7.0.4.

18. T. Hauck Jana Server SOCKS5 Proxy Server Authentication Buffer Overflow Vulnerability
BugTraq ID: 5321
Remote: Yes
Date Published: Jul 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5321
Summary:

Jana Server is a server for Microsoft Windows based systems. Jana Server
provides a wide range of proxy servers, and a number of other services. A
SOCKS5 proxy server is included.

A buffer overflow vulnerability has been reported in the SOCKS5 proxy
server. Reportedly, when authenticating a client, a username, password or
hostnamed longer than 127 characters may cause an error. This may be due
to the incorrect usage of a signed value as an array index.

19. IPSwitch IMail Web Messaging HTTP Get Buffer Overflow Vulnerability
BugTraq ID: 5323
Remote: Yes
Date Published: Jul 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5323
Summary:

IMail is a commercial email server software package distributed and
maintained by Ipswitch, Incorporated. IMail is available for Microsoft
Operating Systems.

A problem with IMail could make it possible for a user to potentially
execute code on a vulnerable server.

IMail includes a web server as part of the features package. The web
server included with IMail provides users with an interface to perform Web
Messaging. The web messaging interface by default runs on port 8383/TCP.

The web messaging server is vulnerable to a buffer overflow. When the
server receives a request for HTTP version 1.0, and the total request is
96 bytes or greater, a buffer overflow occurs. This could result in the
execution of attacker-supplied instructions, and potentially allow an
attacker to gain local access.

** Ipswitch has reported they are unable to reproduce this issue. In
addition, Ipswitch has stated that the supplied, third party patch may in
fact open additional vulnerabilities in the product. Ipswitch suggests
that users do not apply the supplied patch. If the patch has been applied,
users are advised to disable the service and investigate the system for
signs of compromise.

20. OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability
BugTraq ID: 5363
Remote: Yes
Date Published: Jul 30 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5363
Summary:

OpenSSL is an open source implementation of the SSL protocol. It is used
by a number of other projects, including but not restricted to Apache,
Sendmail, Bind, etc.. It is commonly found on Linux and Unix based
systems.

A buffer overflow vulnerability has been reported in some versions of
OpenSSL.

When initiating an OpenSSL session, some information is shared between the
client and the server, including key data. The reported vulnerability lies
in the handling of the client key value during the negotiation of the
SSLv2 protocol.

A malicious client may exploit this vulnerability by transmitting a
malformed key to the vulnerable server. Careful exploitation may result in
execution of arbitrary code as the server process, and the attacker
gaining local access to the vulnerable system. More primitive attacks may
result in the server process crashing, possibly producing a denial of
service condition.

The consequences of exploitation may vary with the nature of the
application using OpenSSL.

Oracle reports that CorporateTime Outlook Connector is only vulnerable
under Microsoft Windows 98, NT, 2K, and XP.

** This vulnerability was originally part of BID 5353, Multiple OpenSSL
Buffer Overflow Vulnerabilities. It has now been reissued as a separate
vulnerability.

21. Abyss Web Server HTTP GET Request Directory Contents Disclosure Vulnerability
BugTraq ID: 5345
Remote: Yes
Date Published: Jul 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5345
Summary:

Abyss Web Server is a freely available personal web server. It is
maintained by Aprelium Technologies and runs on Microsoft Windows
operating systems, as well as Linux.

A vulnerability has been reported for Abyss Web Server 1.0.3 running on a
Microsoft Windows platform. It is possible for an attacker to make a
request such that the contents of the specified directory are revealed.

The vulnerability occurs due to the manner in which excessive '/'
characters are handled in web requests. An attacker making a GET request
followed by 256 '/' characters will cause Abyss Web Server to return an
error page containing the directory listing of the specified directory.

An attacker may be able to use this information to launch further,
potentially damaging attacks, against a vulnerable system.

22. Multiple Browser Vendor Same Origin Policy Design Error Vulnerability
BugTraq ID: 5346
Remote: Yes
Date Published: Jul 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5346
Summary:

In modern browsers, script code executing in the context of one website
should not be able to access the properties of another. This is a
security feature known as the 'same origin policy'. It is put in place to
prevent malicious websites from interacting with and possibly stealing
sensitive information from others in different windows. The current
specification of the same origin policy is flawed such that it creates a
vulnerability under some circumstances.

Only hostnames are used when evaluating whether access to content by
script code should be permitted -- the IP address is not taken into
consideration. If the IP address associated with a hostname were to
change in DNS records, content served from a second host may be accessed
by script code served from the first. This could theoretically be
exploited to access content served from behind a firewall (or on an
internal network).

Further simplifying attack, the Same Origin Policy allows for DOM access
privileges to be inherited across subdomains, for example: script from
xxxx.yyy may access content in a child window opened to zzz.xxxx.yyy.
This eliminates the need to quickly change a DNS record. To exploit this,
the attacker need only create a subdomain with an address behind the
victim firewall.

Exploitation of this vulnerability may result in disclosure of sensitive
information, enumeration of hosts behind a firewall or accessing of
internal web services (XML-RPC/SOAP requests may also be possible).

23. OpenSSL SSLv3 Session ID Buffer Overflow Vulnerability
BugTraq ID: 5362
Remote: Yes
Date Published: Jul 30 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5362
Summary:

A vulnerability has been reported for OpenSSL. The vulnerability affects
SSLv3 session IDs.

When initiating contact with SSLv3 servers, clients and servers alike
exchange information. Session information is stored in a session key with
a unique session ID.

Reportedly when a an oversized SSL version 3 session ID is supplied to a
client from a malicious server, it is possible to overflow a buffer on the
remote system. This could result in key memory areas on the vulnerable,
remote system being overwritten, including stack frame data.

An attacker may be able to take advantage of this vulnerability to execute
malicious code on a vulnerable SSLv3 client machine.

Oracle reports that CorporateTime Outlook Connector is only vulnerable
under Microsoft Windows 98, NT, 2K, and XP.

** This vulnerability was originally part of BID 5353, Multiple OpenSSL
Buffer Overflow Vulnerabilities. It has now been reissued as a separate
vulnerability.

24. Microsoft SQL Server 2000 Resolution Service Denial of Service Vulnerability
BugTraq ID: 5312
Remote: Yes
Date Published: Jul 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5312
Summary:

SQL Server 2000 is a commercially available enterprise level database
product from Microsoft.

SQL Server 2000 uses a keep-alive mechanism that operates through the
Resolution Service.

If the keep-alive function receives a particularly crafted data packet, it
will reply with an identical packet. If one SQL Server sent a data packet
that was crafted in this way to another SQL Server's keep-alive function,
the second SQL Server would respond with an identical packet, causing the
two servers to enter an endless loop of such packets. Eventually, both
servers will consume all available resources, resulting in a denial of
service condition.

It is important to note that an SQL Server will never send the particular
packet needed to exploit this vulnerability to another SQL Server under
normal operating conditions. An attacker would have to send one SQL
Server the packet with a spoofed source address belonging to a second SQL
Server.

25. KaZaA Media Desktop Large Message Denial Of Service Vulnerability
BugTraq ID: 5317
Remote: Yes
Date Published: Jul 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5317
Summary:

KaZaA Media Desktop is a peer to peer file sharing utility, available for
Microsoft Windows based systems. A denial of service vulnerability has
been reported in some versions of KaZaA Media Desktop.

KaZaA may consume large amounts of CPU when processing a sequence of large
messages. It is possible for an attacker to flood a vulnerable system with
a large number of messages, causing the KaZaA process to consume all
available processor time. This may result in a denial of service
condition.

26. phpBB2 Gender Mod Remote SQL Injection Vulnerability
BugTraq ID: 5342
Remote: Yes
Date Published: Jul 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5342
Summary:

phpBB2 is an open-source web forum application that is written in PHP and
backended by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.

Gender Mod is a modification for phpBB2 which allows the association of a
gender with a given user profile. A SQL injection vulnerability has been
reported in this mod.

A malicious user may modify the specified value for 'gender' when updating
their profile. It is possible to include additional SQL statements in this
string, and subvert the SQL statement used to update the user profile.

It has been reported possible to gain administrative access to the phpBB2
site through exploitation of this issue. Other attacks may be possible,
including the ability to view sensitive database information or to modify
additional information stored in the database.

27. ShoutBox Form Field HTML Injection Vulnerability
BugTraq ID: 5354
Remote: Yes
Date Published: Jul 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5354
Summary:

shoutBOX is web-based user feedback software. It is written in PHP and
runs on Unix and Linux variants as well as Microsoft Windows operating
systems.

ShoutBox does not sufficiently sanitize HTML tags from input supplied via
form fields. In particular, the user website URL field of the feedback
form is not sanitized of HTML tags.

Attackers may exploit this lack of input validation to inject arbitrary
HTML and script code into pages that are generated by the script. This
may result in execution of attacker-supplied code in the web client of a
user who visits such a page. HTML and script code will be executed in the
security context of the site hosting the software.

This condition may be exploited to hijack web content or potentially steal
cookie-based authentication credentials.

28. Microsoft Windows Media Player Filename Buffer Overflow Vulnerability
BugTraq ID: 5357
Remote: Yes
Date Published: Jul 30 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5357
Summary:

The Microsoft Windows Media Player executable is prone to a buffer
overflow condition.

This is due to insufficient bounds checking of filenames which are
supplied when the executable is invoked by a user. It has been reported
that this condition occurs when a filename of 279+ characters is supplied.
A valid file extension (such as .mp3) must be supplied with the oversized
filename. This will cause the stack of the vulnerable function in process
memory to be corrupted with attacker-supplied data, which may allow for
execution of arbitrary code.

Since the program is executed in the context of the user invoking it, it
is not likely that a local attacker could exploit this issue to gain
elevated privileges. However, if the program can be invoked remotely or a
user can be somehow enticed into invoking the program with a malformed
filename, then this may be exploited by an attacker. Realistically,
another exposure or vulnerability would have to exist on the host system
for an attacker to exploit this issue.

It is not currently known exactly which versions of the software are
affected.

29. Microsoft Office XP/Internet Explorer OWC File Creation Vulnerability
BugTraq ID: 5359
Remote: Yes
Date Published: Jul 30 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5359
Summary:

A reliable source has announced a vulnerability affecting users of
Microsoft Internet Explorer and Microsoft Office XP.

The vulnerability is related to Office Web Components (OWC), a set of
plugins for MSIE that have been taken off of Microsoft's website for
security reasons.

As described in Bugtraq ID 4398, it is possible to use the Microsoft
spread*** component Host() function to create files on a client system.
While this issue was addressed in a vendor-supplied fix, it is still
possible to abuse this functionality via Internet Explorer. In this
specific instance, it is possible to abuse OWC in combination with a
malicious .xls or .xla file to cause an almost arbitrary file to be
written to a client system.

This issue affects systems that still have OWC installed and may be
exploited from a malicious webpage.

30. Sympoll File Disclosure Vulnerability
BugTraq ID: 5360
Remote: Yes
Date Published: Jul 30 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5360
Summary:

Sympoll is web-based voting booth software. It is implemented in PHP and
will run on most Unix and Linux variants as well as Microsoft Windows
operating systems.

Sympoll is prone to an issue which may allow remote attackers to disclose
the contents of arbitrary webserver readable files. This vulnerability is
only present on hosts which are running the vulnerable version of the
software and have the PHP 'register_globals' directive enabled. The
source of this vulnerability is reported to be insufficient integrity
checking of variables.

The vendor has stated that this issue is only believed to affect Sympoll
version 1.2.

Exploitation of this issue on Microsoft Windows operating systems may
potentially expose arbitrary system files since webservers typically run
in the SYSTEM context.

31. IPSwitch IMail Web Calendaring Incomplete Post Denial Of Service Vulnerability
BugTraq ID: 5365
Remote: Yes
Date Published: Jul 30 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5365
Summary:

IMail is a commercial email server software package distributed and
maintained by Ipswitch, Incorporated. IMail is available for Microsoft
Operating Systems.

A problem has been discovered in the web calendaring service that could
lead to a denial of service.

When a HTTP POST command is made to the web calendaring service on port
8484, and the "content-length:" header field is blank, the service becomes
unstable. It has been reported that such a transaction with the service
results in a crash of the iwebcal service. This could allow users to deny
service to other legitimate users of the service.

It should be noted that the service will not resume normal operation
unless restarted manually.

32. OpenSSL ASN.1 Parsing Error Denial Of Service Vulnerability
BugTraq ID: 5366
Remote: Yes
Date Published: Jul 30 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5366
Summary:

A remotely exploitable denial of service condition has been reported in
the OpenSSL ASN.1 library.

This vulnerability is due to parsing errors and affects SSL, TLS, S/MIME,
PKCS#7 and certificate creation routines. In particular, malformed
certificate encodings could cause a denial of service to server and client
implementations which depend on OpenSSL.

Oracle reports that CorporateTime Outlook Connector is only vulnerable
under Microsoft Windows 98, NT, 2K, and XP.

** This vulnerability was originally part of BID 5353, Multiple OpenSSL
Buffer Overflow Vulnerabilities. It has now been reissued as a separate
vulnerability.

33. Frederic Tyndiuk Eupload Plain Text Password Storage Vulnerability
BugTraq ID: 5369
Remote: Yes
Date Published: Jul 31 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5369
Summary:

Frederic Tyndiuk Eupload is a small script designed to facilitate
uploading of files to a remote server. It is written in Perl and should
work with Microsoft Windows and Linux and Unix variant operating systems.

A problem with Eupload 1.0 may make it possible for remote attackers to
gain access to sensitive information.

Eupload does not cryptographically protect stored passwords. Passwords
contained in the configuration file, password.txt, are stored in plain
text. They may be read by simply viewing the file. The file, password.txt,
is stored in a web accessible location and is, itself, accessible for
retrieval. Thus it is trivial for an attacker to obtain user passwords and
abuse the Eupload service.

This problem could allow an attacker to gain access to the passwords to
protected resources.

34. OpenSSL ASCII Representation Of Integers Buffer Overflow Vulnerability
BugTraq ID: 5364
Remote: Yes
Date Published: Jul 30 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5364
Summary:

Remotely exploitable buffer overflow conditions have been reported in
OpenSSL. This issue is due to insufficient checking of bounds with
regards to ASCII representations of integers on 64 bit platforms. It is
possible to overflow these buffers on a vulnerable system if overly large
values are submitted by a malicious attacker.

Exploitation of this vulnerability may allow execution of arbitrary code
with the privileges of the vulnerable application, service or client.

Oracle reports that CorporateTime Outlook Connector is only vulnerable
under Microsoft Windows 98, NT, 2K, and XP.

** This vulnerability was originally part of BID 5353, Multiple OpenSSL
Buffer Overflow Vulnerabilities. It has now been reissued as a separate
vulnerability.

35. T. Hauck Jana Server HTTP Proxy Server Request Logging Buffer Overflow Vulnerability
BugTraq ID: 5320
Remote: Yes
Date Published: Jul 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5320
Summary:

Jana Server is a server for Microsoft Windows based systems. Jana Server
provides a wide range of proxy servers, and a number of other services. A
HTTP proxy server is included.

A buffer overflow vulnerability has been reported in the HTTP proxy
server. The HTTP proxy server listens to TCP port 3128. If an extremely
long HTTP request is received, the server will crash when attempting to
log the request. This has been reported to be the result of a buffer
overflow condition.

The malicious request will take the following form:

GET / HTTP/[buffer].0

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Linux firewall/ISA Server (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285652

2. windows update reporting info back to MS? (and .NET fw SP1) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285651

3. Windows 2000 special folder restrictions (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285645

4. W2000 Server lockout issue (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285650

5. local admin passwords (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285648

6. Flush.exe & Flushserv.exe (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285653

7. FW: secure remote management of nt4 and w2k servers (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285649

8. Good software against spam (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285550

9. IIS SMTP queue reader (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285536

10. Update Expert (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285389

11. HFNETCHKpro (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285372

12. change the nt-password in a other domain (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285362

13. HFNETCHKpro? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285365

14. Auditing ACL Changes (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285294

15. restricting MMC with GPO for SQL Enterprise Manager (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285147

16. Laptop Encryption (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285145

17. AW: hfnetchk reporting (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285129

18. Securing Laptops (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285128

19. Registry key for "QueryIpMatching" (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285136

20. Setting Account Lockout Policies with a NT PDC (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285131

21. hfnetchk reporting (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/285139

22. Anyone know this scan/tool? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/284963

23. FW: Anyone know this scan/tool? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/284947

24. Fw: Setting Account Lockout Policies with a NT PDC (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/284935

25. Issues/Concerns with Exchange 2000 SP3 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/284569

IV. MICROSOFT PRODUCTS
----------------------
1. Silver Key
by INV Softworks
Platforms: Windows 95/98, Windows NT
Relevant URL:
http://www.filecryption.com/products/skey/
Summary:

Encrypts files and produces self- extracting executable, which can be sent
safely over the Internet. No crypto software needs to be installed on the
receiving side. Silver Key supports Windows drag-and-drop and can compress
data before encryption. Integrated file shredder included.

2. STAT Scanner
by Harris Eletronic Systems
Platforms: Windows NT
Relevant URL:
http://www.statonline.com/
Summary:

STAT-NT performs a complete security vulnerability analysis of your
Windows NT resources using a unique database of over 400 entries. With a
single mouse-click the administrator can perform the analysis of a single
machine or the entire domain.

3. TGB::BOB!
by Thegreenbow
Platforms: Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.thegreenbow.com/bob.html
Summary:

TGB::BOB! is a Personal Firewall for Windows. It is amongst the most
efficient and easy-to use products in its category. TGB::BOB! protects
privacy, keeps hackers out and prevents from DOS (Denial Of Service)
attacks. It blocks Network attacks and monitors all incoming and outgoing
Network traffic and connection attemps. It also monitors all applications
accessing the Network.

V. MICROSOFT TOOLS
-------------------
1. Autopsy Forensic Browser v1.6
by @stake
Relevant URL:
http://www.atstake.com/research/tools/autopsy/
Platforms: N/A
Summary:

The Autopsy Forensic Browser is an HTML-based graphical interface to The
@stake Sleuth Kit (TASK). Together, TASK and Autopsy Forensic Browser are
an open source alternative to the common Windows-based digital forensic
tools. Autopsy provides an investigator with an HTML-based graphical
interface that allows one to browse images from compromised systems in a
"File Manager"-like interface. Windows and UNIX file systems can be
analyzed to view deleted files, create time lines of file activity, and
perform key word searches.

2. BO2Klean
by AK Secure
Relevant URL:
http://www.redsegura.com/bo2k/bo2k.html
Platforms: Windows 95/98, Windows NT
Summary:

AK Secure has just released BO2Klean, a freeware standalone application to
detect and clean the Back Orifice 2000 server. BO2Klean runs under Windows
95, 98, NT and 2000. Due to the high versatility of BO2k, BO2Klean has
built-in algorithms to detect variations of the original trojan. There may
be cases however in which the trojan goes undetected. A next version of
BOKlean will cover more "customizations" of BO2k. An English version and a
Spanish version are available.

3. EGADS v0.9
by Secure Software Solutions
Relevant URL:
http://www.securesw.com/egads/
Platforms: UNIX, Windows 2000
Summary:

EGADS is a system service and library for providing secure random numbers.
It contains an implementation of the Tiny pseudo-random number generator
and the Tiny entropy gateway. Tiny is an evolution of Yarrow, and was
designed by John Kelsey (an original designer of Yarrow) and John Viega.
We are currently preparing a white paper on the Tiny algorithm.

EGADS provides the same kind of functionality as /dev/random and
/dev/urandom on Linux systems, but works on Windows, and as a portable
Unix program.

EGADS is available as a portable user-level daemon for Unix systems, and
as a service for Windows 2000 machines. An XP-compatible version will be
available shortly.

4. DreamSys Server Monitor v3.1
by DreamSys Software
Relevant URL:
http://www.mikersoft.com/servermonitor/
Platforms: Windows 2000, Windows NT, Windows XP
Summary:

Monitor servers over a network or the Internet. Connect, Receive, or Send
& Receive tests on TCP connections. Simple Ping tests. Test services on
remote machines, and restart services if necessary. Quick and Easy to use
Windows interface. Save/Load host lists as separate documents.

VI. SPONSORSHIP INFORMATION
---------------------------
This newsletter is sponsored by: SecurityFocus DeepSight Threat Management
System

Sign up today!
http://www.securityfocus.com/corporate/products/promo/tmstrial-ms.shtml
-------------------------------------------------------------------------------

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]